OWASP TOP 10 APPLICATION SECURITY


The Open Web Application Security Project (OWASP) is a non-profit community that helps organizations develop secure applications. The OWASP Top 10 Web Application Security Risks list was updated in 2017 to give developers and security professionals guidance on the most critical vulnerabilities commonly found in web applications. The list is usually refreshed every 3-4 years. OWASP also produces standards, free tools and conferences that help organizations as well as researchers.


The following identifies each of the OWASP Top 10 Web Application Security Risks:

1. Injection

Injection attacks occur when untrusted data supplied by a user tricks the application into executing unintended commands without proper authorization. Injection flaws include SQL injection, PHP injection, LDAP injection, code injection and OS command injection.

With a successful attack, an attacker can gain:
1. Unauthorized access to an application: an attacker can bypass the application's authentication mechanism and gain illegitimate access to it.
2. Information disclosure: an attack can lead to complete leakage of the data held on the database server.
3. Loss of data availability: an attacker can delete records from the database server.
4. Compromised data integrity: since SQL statements are also used to modify or add records, an attacker can use SQL injection to modify or add data stored in the database, compromising its integrity.



Mitigation:

1. Validate data, i.e. reject suspicious-looking data.
2. Sanitize user-submitted data, i.e. clean up the suspicious parts of the data.
3. Use prepared statements with parameterized queries.
4. Use stored procedures.
5. Apply the principle of least privilege. This standard security control helps minimize the potential damage of a successful attack. For example, accounts that only require read access are granted read access only to the tables they need.
6. A database administrator can set controls to minimize the amount of information an injection attack can expose.
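The following is an added example (not code from the original post) that puts mitigations 1, 3 and 5 side by side against a constructed in-memory SQLite table: the string-concatenated lookup lets a quote in the data change the statement, the parameterized lookup treats the same input as a value, an allowlist rejects unexpected input, and SQLite's query_only pragma stands in for a read-only database account.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("o'brien", "ob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: the input is spliced into the SQL text, so a quote
    # in the data changes the structure of the statement the server runs.
    return conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()

NAME_RE = re.compile(r"^[a-z0-9_.'-]{1,32}$")   # allowlist for this field (mitigation 1)

def lookup_safe(conn, name):
    if not NAME_RE.match(name):
        raise ValueError("username rejected by validation")
    # Parameterized query (mitigation 3): `name` is bound as a value by the driver and
    # never interpreted as SQL, so the apostrophe in o'brien stays data.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def make_read_only(conn):
    # Least privilege (mitigation 5): SQLite's query_only pragma stands in for a
    # database account that holds SELECT grants only on the tables it needs.
    conn.execute("PRAGMA query_only = ON")

def demo() -> dict:
    conn, out = build_db(), {}
    out["safe"] = lookup_safe(conn, "o'brien")
    try:
        out["vulnerable"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        out["vulnerable"] = "statement broken: " + str(exc)
    try:
        lookup_safe(conn, "alice smith")
        out["validation"] = "accepted"
    except ValueError:
        out["validation"] = "rejected"
    make_read_only(conn)
    try:
        conn.execute("DELETE FROM users")
        out["delete_on_readonly"] = "allowed"
    except sqlite3.OperationalError:
        out["delete_on_readonly"] = "blocked"
    return out
```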



2. Broken Authentication


Broken authentication vulnerabilities occur when the application is incorrectly configured or mismanages session-related information, so that a user's identity can be compromised. This information can take the form of session cookies, passwords, secret keys etc.

For example, an attacker can take a list of thousands of known username/password combinations obtained from a data breach and use a script to try all of them against a login form to see whether any of them work.


Mitigation:
1. Use multifactor authentication.
2. Use an SSL certificate.
3. Enforce idle session timeouts.
4. Use secured cookies.
5. Limit repeated login attempts.
6. Enforce strong passwords.
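Added example (not from the original post) of mitigations 3 and 5 in a small login service: after five failed attempts an account is locked for a period, so a scripted list of breached credentials stalls, and a session that sits idle past the timeout is discarded. The clock is injectable so the expiry logic can be exercised without waiting; the thresholds are assumed values.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5     # mitigation 5: limit repeated login attempts
LOCKOUT_SECONDS = 900
IDLE_TIMEOUT_SECONDS = 600  # mitigation 3: idle session timeout
def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so expiry can be exercised without waiting
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> (failed count, time of first failure)
        self.sessions = {}      # token -> (username, last activity time)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        now = self.clock()
        count, since = self.failures.get(username, (0, now))
        if count >= MAX_FAILED_ATTEMPTS:
            if now - since < LOCKOUT_SECONDS:
                return None         # locked: a scripted list of guesses gets no further
            count, since = 0, now   # lockout elapsed; start counting afresh
        record = self.users.get(username)
        ok = record is not None and hmac.compare_digest(
            hash_password(password, record[0])[1], record[1])
        if not ok:
            self.failures[username] = (count + 1, since)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # random, unguessable session identifier
        self.sessions[token] = (username, now)
        return token

    def current_user(self, token):
        if token not in self.sessions:
            return None
        username, last_seen = self.sessions[token]
        now = self.clock()
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]        # idle too long: the session no longer exists
            return None
        self.sessions[token] = (username, now)
        return username
```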

3. Sensitive Data Exposure

Attackers can sniff or modify sensitive data in web applications and APIs if it is not properly protected. An attack can leak financial data, usernames and passwords, or health information, which attackers can then use to commit fraud or steal identities. One popular method for stealing sensitive information is a man-in-the-middle (MITM) attack.

Mitigation:
1. Use strong encryption keys.
2. Encrypt all data in transit and at rest.
3. Use secure protocols and algorithms.
4. Disable caching of responses with sensitive data.




4. XML External Entity

This is an attack against a web application that parses XML input. Poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks including remote code execution, and to disclose internal files and SMB file shares.


Mitigation:
1. Accept less complex data formats where possible.
2. Disable external entities in the XML processor.
3. Avoid serializing sensitive data.
4. Use a WAF to detect and block XXE.
5. Code review.
6. Whitelist input on the server side to prevent malicious XML uploads.
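Added example (not from the original post) of mitigation 2 in Python: because external entities can only be declared inside a DTD, untrusted XML that carries any DOCTYPE is refused before the parser sees it. The two documents are constructed, and the SYSTEM URI in the second is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE (and therefore any ENTITY declaration) is refused before parsing.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    if DTD_RE.search(data):
        raise ValueError("DTD/DOCTYPE declarations are not accepted")
    # ElementTree does not fetch external entities itself, but refusing the DTD
    # makes the decision explicit and independent of the parser's defaults.
    return ET.fromstring(data)

# Constructed samples: a plain order document, and one carrying an external
# entity whose SYSTEM URI is a placeholder.
SAFE_DOC = b"<order><item sku='A1' qty='2'/></order>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/internal.txt'>]>"
           b"<order><item sku='&ext;' qty='1'/></order>")

def classify(data: bytes) -> str:
    try:
        root = parse_untrusted_xml(data)
    except ValueError:
        return "rejected"
    return "parsed:" + root.tag
```

The check also refuses documents with a legitimate internal DTD, which is the usual trade-off for an endpoint that takes XML from the public; processors such as lxml or the Java parsers expose a feature flag to disable DTD and external entity processing directly.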




5. Broken Access Control

An improperly configured application lets attackers access unauthorized resources or other users' accounts, view sensitive documents, and modify data and access rights. Applications have different types of accounts depending on the user, such as admins, operators, reporting groups and many more. A common problem is that developers restrict privileges only on the UI side and not on the server side. If exploited, any user can end up with admin rights.

Mitigation:
1. Use secured authorization tokens.
2. Restrict access to all resources on the basis of roles.
3. Enforce resource restrictions on the server side.
4. Force login/logout after a password change.
5. Invalidate tokens and cookies after logout.
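Added example (not from the original post) of mitigations 2 and 3: every document request is authorized on the server by combining an ownership rule with role grants, so hiding a button in the UI is never the only control. Users, roles and documents are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str      # "admin", "operator" or "user"

class Forbidden(Exception):
    pass

# Constructed sample data: documents keyed by id, each with an owner.
DOCS = {1: {"owner": "alice", "body": "alice's report"},
        2: {"owner": "bob", "body": "bob's report"}}

# Role grants (mitigation 2): what a role may do to documents it does not own.
ROLE_GRANTS = {"admin": {"read", "write"}, "operator": {"read"}, "user": set()}

def is_allowed(user, action, doc):
    if doc["owner"] == user.name:          # object-level rule: owners have full access
        return True
    return action in ROLE_GRANTS.get(user.role, set())

def read_document(user, doc_id):
    # Server-side enforcement (mitigation 3): the decision is made here on every
    # request, not in the client, so guessing another user's id gains nothing.
    doc = DOCS.get(doc_id)
    if doc is None or not is_allowed(user, "read", doc):
        # Same answer for a missing id and a forbidden one, so ids cannot be probed.
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return doc["body"]

def update_document(user, doc_id, body):
    doc = DOCS.get(doc_id)
    if doc is None or not is_allowed(user, "write", doc):
        raise Forbidden(f"{user.name} may not modify document {doc_id}")
    doc["body"] = body
    return doc["body"]

def attempt(fn, *args):
    try:
        return "allowed:" + str(fn(*args))
    except Forbidden:
        return "denied"
```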



6. Security Misconfiguration

This risk refers to improper implementation of controls, such as misconfigured security headers, error messages containing sensitive information (information leakage), and failure to patch or upgrade systems, frameworks, and components.
This is the most common vulnerability on the list and is often the result of using default configurations. Examples of security misconfiguration are weak passwords, default passwords, default scripts left on the servers, default directories, default error messages etc.


Mitigation:
1. Review the security of the configuration.
2. Install only the required features of a framework.
3. Ensure that defaults are changed.
4. Ensure that error messages are generic.
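Added example (not from the original post) covering the header points of sections 3 and 6 together: a stock-looking response header set is placed beside a hardened one, a small audit function reports what the weak set gets wrong (version disclosure, a cacheable sensitive response, missing transport and content-type hardening), and an error handler returns a generic message while logging the detail under a reference id. Both header sets are constructed.

```python
import logging
import uuid

# Constructed header sets: what a stock install might send, and the hardened version.
DEFAULT_HEADERS = {
    "Server": "ExampleServer/1.2.3 (constructed)",   # advertises exact software versions
    "Cache-Control": "public, max-age=3600",         # account page cached by proxies/browsers
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Cache-Control": "no-store",                     # sensitive responses are never cached
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html; charset=utf-8",
}

def audit_headers(headers, sensitive=True):
    """Return a list of findings for a response header set; empty means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append("Server header discloses software version")
    if sensitive and "no-store" not in h.get("cache-control", ""):
        findings.append("sensitive response lacks Cache-Control: no-store")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")
    return findings

def error_response(exc):
    # Generic error for the client (mitigation 4); the real exception goes to the
    # server log under a reference id so support staff can still locate it.
    ref = uuid.uuid4().hex[:12]
    logging.getLogger("app").error("ref=%s %r", ref, exc)
    return 500, {"error": "An internal error occurred", "reference": ref}
```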



7. Cross-Site Scripting

Cross-site scripting vulnerabilities occur when a web application allows an attacker to insert malicious code or an untrusted script into a URL path or into the web application itself. XSS comes in three types: reflected, stored and DOM-based.


Mitigation:
1. Enable a Content Security Policy (CSP).
2. Escape untrusted characters.
3. Validate data, i.e. reject suspicious-looking data.
4. Sanitize user-submitted data, i.e. clean up the suspicious parts of the data.
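Added example (not from the original post) of mitigations 1 to 3 when rendering a user comment: each untrusted value is escaped for the context it lands in (URL path, HTML attribute, HTML text, and JSON inside a script block), oversized or control-character input is rejected, and a CSP header accompanies the page. The comment length limit and the policy string are assumed values.

```python
import html
import json
from urllib.parse import quote

# Sent with every HTML response (mitigation 1): inline scripts and unknown origins
# are refused by the browser, which limits what any injected markup can do.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
MAX_COMMENT = 2000   # assumed limit

def validate_comment(text):
    # Validation (mitigation 3): refuse control characters and oversized input outright.
    if len(text) > MAX_COMMENT or any(ord(c) < 32 and c not in "\n\t" for c in text):
        raise ValueError("comment rejected")
    return text

def render_comment(author, text):
    # Escaping (mitigation 2): a URL path segment, an HTML attribute and HTML text
    # each need their own rules, so each value is escaped for where it lands.
    return (
        f'<a href="/users/{quote(author, safe="")}">{html.escape(author)}</a>: '
        f'<span title="{html.escape(author, quote=True)}">{html.escape(text)}</span>'
    )

def embed_for_script(data):
    # Data placed inside a <script> block: json.dumps leaves '<' and '>' alone, so a
    # string containing "</script>" would end the block early; escape them as well.
    return (json.dumps(data).replace("<", "\\u003c")
                            .replace(">", "\\u003e").replace("&", "\\u0026"))

def render_page(author, text):
    body = render_comment(author, validate_comment(text))
    headers = {CSP_HEADER[0]: CSP_HEADER[1], "Content-Type": "text/html; charset=utf-8"}
    return headers, body
```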



8. Insecure deserialization

Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use.

An insecure deserialization exploit results from deserializing data from untrusted sources and can have serious consequences such as DDoS attacks and remote code execution; it can also let an attacker tamper with or delete serialized (written to disk) objects, conduct injection attacks, and elevate privileges.

Mitigation:
1. Encrypt serialized data.
2. Run deserializers with least privilege.
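Added example (not from the original post) in Python: a restricted unpickler refuses every class lookup, so a pickle that would construct objects cannot be loaded at all, and stored data is kept in a data-only format under an HMAC so tampering with a serialized object on disk is detected. The key is a constructed demo value; the page's mitigation 1 (encryption) would be layered on top for confidentiality.

```python
import datetime
import hashlib
import hmac
import io
import json
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    # Refuse every global lookup: a pickle that needs to import a class or function
    # cannot be loaded at all, so only primitive containers get through.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Integrity tag over serialized data: catches tampering with objects written to disk.
KEY = b"constructed-demo-key-do-not-reuse"

def sign(payload):
    return hmac.new(KEY, payload, hashlib.sha256).digest() + payload

def verify_and_load(blob):
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, payload, hashlib.sha256).digest()):
        raise ValueError("serialized data failed integrity check")
    return json.loads(payload)   # data-only format: parsing never constructs objects

def demo():
    out = {}
    out["primitives"] = restricted_loads(pickle.dumps({"id": 7, "tags": ["a", "b"]}))
    try:  # any class reference, here the stdlib's datetime.date, is refused
        restricted_loads(pickle.dumps(datetime.date(2024, 5, 1)))
        out["object"] = "loaded"
    except pickle.UnpicklingError:
        out["object"] = "refused"
    blob = sign(json.dumps({"id": 7}).encode())
    out["intact"] = verify_and_load(blob)
    try:  # same tag, altered payload
        verify_and_load(blob[:32] + json.dumps({"id": 8}).encode())
        out["tampered"] = "accepted"
    except ValueError:
        out["tampered"] = "rejected"
    return out
```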




9. Using Components With Known Vulnerabilities

Web developers use components such as libraries and frameworks in their web applications; these components are pieces of software that save developers redundant work. Attackers therefore look for vulnerabilities in these components, and one flaw can leave hundreds of thousands of components vulnerable to attack. Examples are use of a vulnerable PHP version, unpatched Windows, an outdated kernel version and many more. Attackers can exploit an insecure component to take over the server or steal sensitive data.

Mitigation:
1. Patch frequently.
2. Remove unused components from the application.
3. Ensure components are up to date.
4. Ensure components are received from a trusted source.


10. Insufficient Logging and Monitoring


To ensure that attackers' malicious activity gets noticed, it is essential to log all activity and monitor it for suspicious behavior, for example junk traffic or too many login attempts from a particular source. The average time to discover a breach is around 200 days after it has happened. Insufficient logging and ineffective integration with security incident response systems allow attackers to pivot to other systems and maintain persistent threats.

Mitigation:
1. Monitor application traffic 24x7.
2. Analyze logs.
3. Implement incident response plans.

By Raj Shah